Type : Vendor Assessment |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Short Name |
|
Question / Description |
|
Answer / Value |
|
|
|
|
|
|
|
|
|
|
|
|
Name |
|
Enter the name |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
TPA: Project Name |
|
Whirlpool project name requesting third party or service provider connection |
|
|
* |
|
|
|
|
|
|
|
|
|
TPA: Project Owner |
|
Whirlpool project owner requesting third party or service provider connection |
|
|
* |
|
|
|
|
|
|
|
|
|
TPA: Business Area |
|
Whirlpool business area or process supported by the third party or service provider |
|
|
* |
|
|
|
|
|
|
|
|
|
TPA: Service Provider Name |
|
Service provider company name |
|
|
* |
|
|
|
|
|
|
|
|
|
TPA: Service Provider Contact |
|
Service provider or third party contact |
|
|
* |
|
|
|
|
|
|
|
|
|
TPA: Target Implementation Date |
|
Target implementation date |
|
|
* |
|
|
|
|
|
|
|
|
|
|
TPA: CISO |
|
Vendor Chief Information Security Officer (CISO) or equivalent |
|
|
* |
|
|
|
|
|
|
|
|
|
TPA: User Directory |
|
Choose the user directory used to manage security and provisioning of access on your internal network |
|
|
* |
|
|
|
|
|
|
|
|
|
|
TPA: OS and database |
|
List the operating system and database used to manage Whirlpool data |
|
Select any number |
* |
|
|
|
|
|
|
Mainframe |
|
|
|
|
|
|
|
Unix |
|
|
|
|
|
|
|
AS400 |
|
|
|
|
|
|
|
Windows |
|
|
|
|
|
|
|
Oracle |
|
|
|
|
|
|
|
DB2/UDB |
|
|
|
|
|
|
|
MS SQL |
|
|
|
|
|
|
|
Other |
|
|
|
|
|
|
|
|
|
|
TPA: Datacenter location |
|
List the location of the datacenter that hosts Whirlpool data |
|
|
* |
|
|
|
|
|
|
|
|
|
Short Name |
|
Question / Description |
|
Answer / Value |
|
Comments |
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Organizational Security and Privacy 1 |
|
Has a complete and current Information Security policy been established? |
|
Yes |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Organizational Security and Privacy 2 |
|
Are retention and destruction requirements documented and followed for different classifications of data? |
|
Yes |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Organizational Security and Privacy 3 |
|
Are documented guidelines followed to review relevant laws and regulations, including but not limited to privacy protection, international privacy law, or data security, and their impact to the organization's IS controls? |
|
Yes |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Organizational Security and Privacy 4 |
|
Have documented incident management procedures been established to ensure a timely, effective and orderly response to security incidents including coordination with key partners and customers? |
|
Yes |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Organizational Security and Privacy 5 |
|
Are documented policies followed for enforcing segregation of duties? |
|
Yes |
* |
|
|
|
|
|
|
|
What types of audits are performed? |
2 |
|
|
|
|
WVA: Organizational Security and Privacy 6 |
|
Are audits performed to ensure compliance of systems with organizational security policies and standards? |
|
Yes, external audits are performed on a periodic basis. |
* |
SAS-70, SOX Audit |
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Organizational Security and Privacy 7 |
|
How often are documented audits/reviews performed of Third Party’s security controls for compliance with service and delivery levels in the agreement? |
|
Semi-annually |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Employment Security 1 |
|
Do employees sign a confidentiality (non-disclosure) agreement as part of the initial terms and conditions of employment? |
|
Yes |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Employment Security 2 |
|
Are verification (background) investigations conducted on applicants for permanent employment, including third party contractors, vendors, and consultants? |
|
Yes for all applicants and is required by contract by any third party vendors |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Employment Security 3 |
|
Are documented guidelines followed for providing security awareness training (SAT) to all personnel? |
|
Yes, training is required at least annually |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Business Continuity 1 |
|
Are controls in place to ensure that back-ups of business information are completed on a regular basis? |
|
Yes, full back-ups are performed weekly |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Business Continuity 2 |
|
Are controls in place to ensure that backed-up information, records of the back-up copies, and documented restore procedures are stored in a remote location? |
|
Yes, back-ups are retained off-site at a distance greater than 15 miles |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Business Continuity 3 |
|
Do policies and procedures exist to ensure that controls applied to media at the main site are extended to the back-up site? |
|
Yes, controls in place are greater than the main site |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Physical Security 1 |
|
Have controls been established to ensure that physical access to areas with confidential information and information systems is controlled and restricted to authorized persons only? |
|
Yes, documented approval required with physical access controlled by an electronic card key |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Physical Security 2 |
|
Are documented guidelines followed for granting access to visitors? |
|
Yes, sign in and data center manager approval required |
* |
|
|
|
|
|
|
|
When are the audits performed? |
2 |
|
|
|
|
WVA: Physical Security 3 |
|
How often are reviews of access rights to secure areas conducted? |
|
Access rights are reviewed semi-annually |
* |
After every 6 months (Dec and July) |
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Physical Security 4 |
|
Are controls in place to address the possibility of damage from fire in secure areas? |
|
Yes, fire detection in place with automated fire suppression system in place |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Physical Security 5 |
|
Have controls been established to ensure uninterruptible power supplies (UPS) are put in place to protect critical equipment from power failures? |
|
Yes, equipment protected by UPS and generator back-up |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Software Development 1 |
|
Are documented guidelines followed to separate development, test and production (operational) environments? |
|
Yes |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Software Development 2 |
|
Are all security requirements identified and justified during the requirements phase of projects? |
|
Yes |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Software Development 3 |
|
Are formal procedures and management responsibilities defined and documented to require satisfactory control of all changes to equipment, software or procedures including formal approval, recording, and communication of changes? |
|
Yes |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Software Development 4 |
|
Do documented guidelines require static code testing, vulnerability scanning, and web application scanning of applications before migration to production? |
|
N/A |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Software Development 5 |
|
Do technical compliance checks include static code tests, vulnerability scans, and web application scans for existing systems and applications? |
|
Yes, all three types of testing are deployed at every release |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Software Development 6 |
|
Have controls been established to protect the storing of confidential data on local devices? |
|
Yes, local encryption required |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Security Operations 1 |
|
How often are security logs reviewed? |
|
Security logs contain user ID, failed log-ins, and other security events and are reviewed weekly |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Security Operations 2 |
|
Are documented guidelines followed to ensure access controls of mobile devices (laptops, PDAs, etc.)? |
|
Yes, encryption required |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Security Operations 3 |
|
Have all critical systems with real-time clocks had their time set and synchronized with a common Network Time Protocol (NTP) service? |
|
Yes |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Security Operations 4 |
|
Are cryptographic systems and techniques used for storage of information that is considered confidential? |
|
Yes, for all confidential data |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Security Operations 5 |
|
Have controls been established to ensure the handling of compromised keys? |
|
Yes, compromised key is revoked |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Security Operations 6 |
|
How often are security or vulnerability patches applied? |
|
Patches are applied more frequently than monthly |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Security Operations 7 |
|
Have controls been established to ensure installation and regular update of anti-virus software to protect computers on a precautionary or routine basis? |
|
Yes, virus definitions are updated daily |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Security Operations 8 |
|
Do the media handling procedures ensure the safe and secure storage of media containing confidential information? |
|
Yes |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Security Operations 9 |
|
Do the media handling procedures ensure the safe and secure disposal of electronic media containing confidential information? |
|
Yes, media is disposed in a way that renders the data irretrievable |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Security Operations 10 |
|
Do the media handling procedures ensure the safe and secure disposal of paper documents containing confidential information? |
|
Yes, media is disposed in a way that renders the document irretrievable |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Security Operations 11 |
|
Is access to modify job schedules limited to authorized personnel? |
|
Yes |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Security Operations 12 |
|
Have mechanisms been implemented to protect electronically published information (web sites, ftp, etc)? |
|
Yes, PGP or other enhanced encryption |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Security Operations 13 |
|
Have mechanisms been implemented to protect information on media in transit between organizations (i.e. backup tapes)? |
|
Yes, secure package handling controls |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Security Operations 14 |
|
Are the domains with different security needs separated by secure gateways? |
|
Yes, DMZs exist for internal and external network |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Security Operations 15 |
|
Are documented guidelines followed for the secure exchange of confidential information to prevent the unauthorized disclosure and misuse? |
|
Yes, documented and encryption is always required |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Security Operations 16 |
|
Are documented guidelines followed to safeguard the confidentiality and integrity of data passing over wireless networks? |
|
Yes, WEP encryption |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Security Operations 17 |
|
Have mechanisms been implemented to protect confidential information contained in electronic mail (Email) between organizations? |
|
Yes, SSL/TLS is required |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Password Controls 1 |
|
Does the authentication method to gain access to the network utilize passwords? |
|
Passwords are used |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Password Controls 2 |
|
What is the minimum password length available to end-users? |
|
Requires at least 6 characters |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Password Controls 3 |
|
How often are end-users forced to change their passwords? |
|
Quarterly |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Password Controls 4 |
|
What are the minimum password complexity requirements being enforced for end-users? |
|
Mixed case alphabetic, numeric, plus special characters |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Password Controls 5 |
|
Are end-users restricted from using previous passwords (password history)? |
|
No password re-use restrictions |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Password Controls 6 |
|
Are users forced to change their password during first login? |
|
Users are forced to change passwords on first login |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Password Controls 7 |
|
Are passwords hidden during authentication? |
|
Password characters are masked |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Password Controls 8 |
|
Is a complete & current mechanism in place to report & reset lost or compromised passwords? |
|
Secure self service password reset mechanism |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Infrastructure Access 1 |
|
When authentication fails, is the user informed of which portion of the authentication process failed? |
|
Message indicates which portion of the authentication process failed |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Infrastructure Access 2 |
|
Are authentication credentials securely communicated across the network? |
|
Authentication credentials are securely encrypted using industry standards |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Infrastructure Access 3 |
|
Are accounts locked after several failed login attempts? |
|
Locked after 3 or more failed attempts |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Infrastructure Access 4 |
|
How long before the system automatically re-enables the account after an account lock out? |
|
Auto unlock after 30 minutes or more |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Infrastructure Access 5 |
|
How often are accounts reviewed for deactivation (due to inactivity, termination, etc)? |
|
Recurring =<6 months |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Infrastructure Access 6 |
|
Have control requirements been established for requesting, establishing, and issuing user accounts? |
|
Yes |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Infrastructure Access 7 |
|
How often is a review of accounts and related privileges conducted? |
|
Accounts with access to confidential data are reviewed =<6 months |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Infrastructure Access 8 |
|
Are controls in place to ensure all user activities on IT systems are uniquely identifiable? |
|
Yes, all user accounts have unique IDs and are not shared |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Infrastructure Access 9 |
|
Are access rights immediately adjusted for users who have changed jobs? |
|
Yes, as requested by management |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Infrastructure Access 10 |
|
Is a documented termination procedure followed which includes the removal of access rights? |
|
Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination. |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Password Controls 1 |
|
Does the application that houses Whirlpool information conform to the exact access and password controls for your infrastructure? |
|
Yes |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Password Controls 2 |
|
Does the authentication method to gain access to the application utilize passwords? |
|
Passwords are used |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Password Controls 3 |
|
What is the minimum password length available to end-users? |
|
Requires at least 6 characters |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Password Controls 4 |
|
How often are end-users forced to change their passwords for the application? |
|
Quarterly |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Password Controls 5 |
|
What are the minimum application password complexity requirements being enforced for end-users? |
|
Mixed case alphabetic, numeric, plus special characters |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Password Controls 6 |
|
Are end-users restricted from using previous application passwords (password history)? |
|
No password re-use restrictions |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Password Controls 7 |
|
Are users forced to change their application password during first login? |
|
Users are forced to change passwords on first login |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Password Controls 8 |
|
Are passwords hidden during authentication? |
|
Password characters are masked |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Password Controls 9 |
|
Is a complete & current mechanism in place to report & reset lost or compromised application passwords? |
|
Secure self service password reset mechanism |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Access Controls 1 |
|
When the application authentication fails, is the user informed of which portion of the authentication process failed? |
|
Message indicates which portion of the authentication process failed |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Access Controls 2 |
|
Are application authentication credentials securely communicated across the network? |
|
Authentication credentials are securely encrypted using industry standards |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Access Controls 3 |
|
Are application accounts locked after several failed login attempts? |
|
Locked after 3 or more failed attempts |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Access Controls 4 |
|
How long before the system automatically re-enables the application account after an account lock out? |
|
No auto unlock, manual administrator unlock only |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Access Controls 5 |
|
How often are application accounts reviewed for deactivation (due to inactivity, termination, etc)? |
|
Recurring =<6 months |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Access Controls 6 |
|
Have application control requirements been established for requesting, establishing, and issuing user accounts? |
|
Yes |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Access Controls 7 |
|
How often is a review of application accounts and related privileges conducted? |
|
Accounts with access to confidential data are reviewed =<6 months |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Access Controls 8 |
|
Are controls in place to ensure all user activities in the application are uniquely identifiable? |
|
Yes, all user accounts have unique IDs and are not shared |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Access Controls 9 |
|
Are application access rights immediately adjusted for users who have changed jobs? |
|
Yes, as requested by management |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Application Access Controls 10 |
|
Is a documented termination procedure followed which includes the removal of application access rights? |
|
Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination. |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 1 |
|
Do you provide access to a web based portal? |
|
Yes |
* |
|
|
|
|
|
|
|
Does it conform with Infrastructure or Application password controls? |
2 |
|
|
|
|
WVA: Vendor Portal Access and Password Control 2 |
|
Do the web portal access and password controls conform to either the infrastructure or application password and access controls? |
|
Yes |
* |
Yes |
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 3 |
|
Does the authentication method to gain access to the portal utilize passwords? |
|
Passwords are used |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 4 |
|
What is the minimum password length available to end-users? |
|
Requires at least 6 characters |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 5 |
|
How often are end-users forced to change their passwords for the portal? |
|
Quarterly |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 6 |
|
What are the minimum portal password complexity requirements being enforced for end-users? |
|
Mixed case alphabetic, numeric, plus special characters |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 7 |
|
Are end-users restricted from using previous portal passwords (password history)? |
|
No password re-use restrictions |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 8 |
|
Are users forced to change their portal password during first login? |
|
Users are forced to change passwords on first login |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 9 |
|
Are passwords hidden during authentication? |
|
Password characters are masked |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 10 |
|
Is a complete & current mechanism in place to report & reset lost or compromised portal passwords? |
|
Secure self service password reset mechanism |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 11 |
|
When the portal authentication fails, is the user informed of which portion of the authentication process failed? |
|
Message indicates which portion of the authentication process failed |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 12 |
|
Are portal authentication credentials securely communicated across the network? |
|
Authentication credentials are securely encrypted using industry standards |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 13 |
|
Are portal accounts locked after several failed login attempts? |
|
Locked after 3 or more failed attempts |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 14 |
|
How long before the system automatically re-enables the portal account after an account lock out? |
|
Auto unlock after 30 minutes or more |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 15 |
|
How often are portal accounts reviewed for deactivation (due to inactivity, termination, etc)? |
|
Recurring =<6 months |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 16 |
|
Have portal control requirements been established for requesting, establishing, and issuing user accounts? |
|
Yes |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 17 |
|
How often is a review of portal accounts and related privileges conducted? |
|
Accounts with access to confidential data are reviewed =<6 months |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 18 |
|
Are controls in place to ensure all user activities in the portal are uniquely identifiable? |
|
Yes, all user accounts have unique IDs and are not shared |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 19 |
|
Are portal access rights immediately adjusted for users who have changed jobs? |
|
Yes, as requested by management |
* |
|
|
|
|
|
|
|
|
|
|
|
|
|
WVA: Vendor Portal Access and Password Control 20 |
|
Is a documented termination procedure followed which includes the removal of portal access rights? |
|
Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination. |
* |
|
|
|
|
|
|
|
|
|
|
|
Short Name |
|
Question / Description |
|
Answer / Value |
|
|
|
|
|
|
|
|
|
|
|
|
Vendor Access to Whirlpool Data Types |
|
What type of Whirlpool data does the vendor have access to? |
|
Select at least 1 |
* |
|
|
|
|
|
|
Employee Compensation |
|
|
|
|
|
|
|
Country Specific Personal ID (e.g. social security number[US], social insurance number[Canada]) |
|
|
|
|
|
|
|
Employee Health Information |
|
|
|
|
|
|
|
Employee Criminal Information |
|
|
|
|
|
|
|
Employee Contact Information |
|
|
|
|
|
|
|
Employee Benefits Information |
|
|
|
|
|
|
|
Employee Performance/Talent Ratings |
|
|
|
|
|
|
|
Employee Emergency Contact Information |
|
|
|
|
|
|
|
Employee Demographic Information |
|
|
|
|
|
|
|
Credit Card Information |
|
|
|
|
|
|
X |
Consumer Contact Information |
|
|
|
|
|
|
|
Customer Service Center Call History |
|
|
|
|
|
|
|
Prospective Customer Information |
|
|
|
|
|
|
|
Consumer Demographic Information |
|
|
|
|
|
|
|
Pre-release Financial Information |
|
|
|
|
|
|
|
Business Development Information |
|
|
|
|
|
|
|
Board and Executive Committee Materials |
|
|
|
|
|
|
|
Restructuring Information |
|
|
|
|
|
|
|
Corporate Strategy |
|
|
|
|
|
|
|
Regional Trade Sensitive Information |
|
|
|
|
|
|
|
Aggregate Corporate Forecast and Planning Information |
|
|
|
|
|
|
|
Historical Earnings Information |
|
|
|
|
|
|
|
Capital Plan and Spend Information |
|
|
|
|
|
|
|
Treasury Information |
|
|
|
|
|
|
|
Tax Information |
|
|
|
|
|
|
|
Internal Audit Information |
|
|
|
|
|
|
|
Supply Chain Cost Information |
|
|
|
|
|
|
|
IS Security Incident Information |
|
|
|
|
|
|
|
IS Vulnerability Information |
|
|
|
|
|
|
|
Application Code and Documentation |
|
|
|
|
|
|
|
System Performance Information |
|
|
|
|
|
|
|
Detailed System Information |
|
|
|
|
|
|
|
|
|
|
Vendor Access to Whirlpool Data |
|
What type of access does the vendor have to Whirlpool data? |
|
Select at least 1 |
* |
|
|
|
|
|
X |
Systemic |
|
|
|
|
|
|
|
Adhoc or Limited |
|
|
|
|
|
|
|
Read Only Access |
|
|
|
|
|
|
|
Whirlpool Corporation Page 1 of 1 Confidential |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
No, back-up copies are stored onsite |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Yes, DMZ’s exist for internal and external network |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Users are not forced to change passwords on first login |
|
|
|
|
|
|
|
|
|
|
|
Users are forced to change passwords on first login |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Manual reset password process via Helpdesk with no user identification mechanism |
|
|
|
|
|
|
|
|
|
|
|
Manual reset password process via Helpdesk with a mechanism to positively ID user |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Ad hoc reviews and updates |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Accounts are reviewed on a ad hoc basis |
|
Users are not forced to change passwords on first login |
|
|
|
|
|
|
|
|
|
|
|
Users are forced to change passwords on first login |
|
Manual reset password process via Helpdesk with no user identification mechanism |
|
|
|
|
|
|
|
|
|
|
|
Manual reset password process via Helpdesk with a mechanism to positively ID user |
|
Ad hoc reviews and updates |
|
Accounts are reviewed on an ad hoc basis |
|
Users are not forced to change passwords on first login |
|
|
|
|
|
|
|
|
|
|
|
Users are forced to change passwords on first login |
|
Manual reset password process via Helpdesk with no user identification mechanism |
|
|
|
|
|
|
|
|
|
|
|
Manual reset password process via Helpdesk with a mechanism to positively ID user |
|
Ad hoc reviews and updates |
|
Accounts are reviewed on an ad hoc basis |
|